Tencent / HaboMalHunter

HaboMalHunter is a sub-project of Habo Malware Analysis System (https://habo.qq.com), which can be used for automated malware analysis and security assessment on the Linux system.

Any Malware Compiled with PIE would Evade Dynamic Analysis #23

Open ZhangZhuoSJTU opened 5 years ago

ZhangZhuoSJTU commented 5 years ago

Currently, HaboMalHunter uses the file command output to check whether the target is executable here. However, the file command would regard any executable compiled with PIE as a shared object.

That means HaboMalHunter would not run dynamic analysis for any malware compiled with PIE.

Example

The following are two executables built from the same source code, compiled with and without the "-no-pie" flag.

$ cat test.c
#include<stdio.h>
int main() {
    puts("test pie");
}

$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 7.3.0-27ubuntu1~18.04' --with-bugurl=file:///usr/share/doc/gcc-7/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr --with-gcc-major-version-only --program-suffix=-7 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)

Compiled with PIE

pie.zip

$ gcc test.c -o pie
$ file pie
pie: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=1d677eb3a12c5b5fe6d135fe815efde29474e5ad, not stripped

Analysis result of Habo is available here

Compiled without PIE

nopie.zip

$ gcc test.c -no-pie -o nopie
$ file nopie
nopie: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=701f6befacfc89af3debea2ce2bfa4c3a74bb371, not stripped

Analysis result of Habo is available here
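A header-based check that avoids the misclassification described above, added here as an illustration (it is not HaboMalHunter's code): it reads e_type from the ELF header and, for ET_DYN objects, looks for the DF_1_PIE flag in the dynamic section (the flag newer file releases key on to print "pie executable") and for a PT_INTERP entry, so a PIE program is never waved through as a library. The function name classify_elf, the result strings, and the build_sample helper (which constructs a minimal ELF64 image purely for testing) are my own assumptions.

```python
import struct
ET_EXEC, ET_DYN, PT_DYNAMIC, PT_INTERP = 2, 3, 2, 3             # e_type and p_type values
DT_NULL, DT_FLAGS_1, DF_1_PIE = 0, 0x6FFFFFFB, 0x08000000

def classify_elf(data):
    """Classify an ELF64 image from its header fields rather than from `file`'s text."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2:   # e_ident[EI_CLASS] 2 = ELFCLASS64
        return "not an ELF64 file"
    end = "<" if data[5] == 1 else ">"                              # e_ident[EI_DATA]: 1 = LSB, 2 = MSB
    try:
        (e_type, _, _, _, e_phoff, _, _, _, e_phentsize,
         e_phnum) = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
        if e_type == ET_EXEC:
            return "executable"                                     # fixed-address binary, as `file` reports
        if e_type != ET_DYN:
            return "not an executable object"                       # ET_REL, ET_CORE, ...
        has_interp, flags_1 = False, 0
        for i in range(e_phnum):
            p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
                end + "IIQQQQ", data, e_phoff + i * e_phentsize)
            if p_type == PT_INTERP:
                has_interp = True                                   # asks for a program interpreter (ld.so)
            elif p_type == PT_DYNAMIC:
                for off in range(p_off, p_off + p_filesz, 16):      # Elf64_Dyn entries are 16 bytes
                    d_tag, d_val = struct.unpack_from(end + "qQ", data, off)
                    if d_tag == DT_NULL:
                        break
                    if d_tag == DT_FLAGS_1:
                        flags_1 = d_val
    except struct.error:
        return "malformed ELF"                                      # offsets point outside the file
    if flags_1 & DF_1_PIE:
        return "pie executable"                                     # ET_DYN, but linked as a PIE program
    return "shared object with PT_INTERP" if has_interp else "shared object"

def build_sample(e_type, with_interp=True, pie_flag=True):
    """Constructed minimal little-endian ELF64 image for testing; not a real or runnable binary."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    dyn = struct.pack("<qQqQ", DT_FLAGS_1, DF_1_PIE if pie_flag else 0, DT_NULL, 0)
    n = 1 + int(with_interp)                                        # number of program headers
    interp_off = 64 + 56 * n                                        # header (64) + phdrs (56 each)
    dyn_off = interp_off + len(interp)
    phdrs = b""
    if with_interp:
        phdrs += struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0, len(interp), len(interp), 1)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)             # ELFCLASS64, little-endian, EV_CURRENT
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, n, 0, 0, 0)
    return header + phdrs + interp + dyn
```

A sandbox gate that treats both "executable" and "pie executable" as candidates for dynamic analysis would have run the pie sample above; the "shared object with PT_INTERP" result covers ET_DYN objects from older linkers that do not set DF_1_PIE.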

jingleyang commented 4 years ago

Thank you very much. And may I ask for your help to address this issue? Could you please contribute a pull request to handle this bug?

f0wl commented 4 years ago

For reference: with file 5.36 I'm getting this output:

$ file -v
file-5.36
magic file from /etc/magic:/usr/share/misc/magic
$ file pie
pie: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1d677eb3a12c5b5fe6d135fe815efde29474e5ad, not stripped

NicoleG25 commented 3 years ago

Is there any plan to address this? Please note that CVE-2019-13125 was assigned to this issue. Thanks in advance @f0wl @jingleyang